Diebold Code Spill Hikes Electronic Voting Security Concerns
Oct 23, 2006 1:50 PM PT
Election technology vendor Diebold late last week suffered a leak of the original software code used to run older versions of its controversial e-voting machines. The incident fueled doubts about the security of e-voting machines in general and raised concerns over voter confidence in the technology as U.S. elections loom just two weeks from now.
The code reportedly was leaked when three disks that had been provided to testing companies were sent anonymously to Cheryl Kagan, a former delegate in Maryland's state legislature who now works at the Carl Freeman Foundation and has been a vocal critic of the state's election system.
The disks appear to contain code for programs used during a testing session by an independent firm in November 2003 and not for versions used this year. However, if the disks are determined to be authentic, Diebold could suffer additional damage to its reputation. Critics have already raised doubts over its ability to securely and accurately tabulate election results.
Diebold implicated testing organizations Ciber and Wyle for last week's breach, saying those firms had possession of disks containing the code used in its BallotStation touchscreen software and its GEMS tabulation software. At the same time, Diebold downplayed the impact of the exposure, claiming no jurisdictions are now using the BallotStation solution, while use of GEMS is currently minimal.
"The availability of this software poses no threat to the safety, security and accuracy of elections in any jurisdiction using Diebold Election Systems voting machines," the company said.
Not Quite Closed
The incident is reminiscent of a source code spill in 2003 that resulted in significant security scrutiny and criticism of the company.
The latest disclosure highlights the need for transparency in election systems, argued e-voting expert Avi Rubin, a critic of Diebold's closed code and author of Brave New Ballot.
"I don't see it as a direct threat to the election, but it does undermine the arguments about keeping source code secret," Rubin told TechNewsWorld. "It ... gets out sometimes, as Diebold has now shown on two occasions. You have to wonder how often it gets out and we don't find out about it."
Rubin's opinion, which has been echoed by other e-voting experts, is that if Diebold would open its e-voting system code, "then this issue would go away." He and others are calling for the use of open source software with election systems in addition to a voter-verified paper audit.
Chorus of Doubt
The paper ballot nightmare of the 2000 presidential contest motivated many U.S. states and voting districts to switch to electronic voting. However, security issues and other election debacles, including Maryland's recent primary, have raised a chorus of doubt over e-voting.
The FBI is investigating Diebold's latest code spill, according to the firm, which maintains that its election systems and software are secure as long as local officials properly administer access and security using encryption and other methods.
Still, questions about accuracy and voter confidence have persisted, prompting some states, such as North Carolina and California, to consider action to achieve transparency in election systems and software.
Earlier this month, vendor ES&S agreed it would comply with technology disclosure requirements in a proposed California bill, leaving Diebold "the only major vendor" that did not explicitly agree to disclosure, according to the Open Voting Consortium.
Rubin, a Johns Hopkins University professor who sounded security alarms over Diebold's election code three years ago, has faulted the election and ATM vendor for its vulnerable code. The security of e-voting has also been challenged by Princeton Professor Ed Felten and his computer science team, who recently demonstrated the ease of stealing an election based on a Diebold system.
Although other companies may be agreeing in theory to code and system transparency, Rubin pointed out that Diebold is, in fact, far from alone in adopting a closed-code policy.
"I think all the major vendors are keeping their code proprietary, and the other vendors are glad that Diebold is the one that constantly ends up in the press," he said.